CONFERENCE Cyber AI & Automation Summit - Watch Sessions
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Cardinal RAT Remained Hidden for Two Years

A recently discovered remote access Trojan (RAT) that abuses Excel macros in an innovative way has been active for more than two years, Palo Alto Networks security researchers reveal.

A recently discovered remote access Trojan (RAT) that abuses Excel macros in an innovative way has been active for more than two years, Palo Alto Networks security researchers reveal.

Dubbed Cardinal RAT, the malware had a very low volume over the two-year timeframe, with only 27 total samples found to date. The manner in which the threat is delivered, however, is both innovative and unique: malicious macros in Microsoft Excel documents are used to compile embedded C# (C Sharp) source code into an executable that downloads the RAT.

The delivery documents, which the Palo Alto Networks researchers refer to as the Carp downloader, use various financial-related lures to trick users into executing them. The malicious macros were designed to generate two paths, to a randomly named executable, and to a randomly named C# file in the %APPDATA%Microsoft folder.

Next, it base64-decodes the embedded C# source code and writes it to the C# file path, after which it compiles and executes the C# source code using the Microsoft Windows built-in csc.exe utility. The executed code simply downloads the Cardinal RAT from secure.dropinbox[.]pw using HTTP on port 443 (not HTTPS), decrypts it using AES-128, and then executes it.

The malware was named Cardinal RAT based on the internal names used by the author within the observed Microsoft .NET Framework executables, the security researchers reveal. Because only 27 unique samples of the RAT have been found, the malware managed to remain hidden although some of these samples are dating back to December 2015.

When executed on an infected system, the malware checks its current working directory and enters an installation routine if the directory doesn’t match the expected path. The threat copies itself to a randomly named executable in the specified directory, after which it compiles and executes embedded source code featuring watchdog functionality.

The newly spawned executable ensures that a specific registry key is set, and periodically queries the key to verify it is set appropriately and to re-set it if it has been deleted. This key acts as a persistence mechanism, as it ensures the RAT is executed every time a user logs on.

The watchdog process checks that the Cardinal RAT process is always running and that the executable is located in the correct path. If one of these conditions isn’t met, it either spawns a new instance of Cardinal RAT, or writes the malware to the correct location.

Advertisement. Scroll to continue reading.

After completing the installation routine, the RAT injects itself into a newly spawned process, attempting to use one of six executables for this process: RegAsm.exe, RegSvcs.exe, vbc.exe, csc.exe, AppLaunch.exe, or cvtres.exe.

Some of the malware samples are configured with a single command and control (C&C) server, while others use multiple host and port combinations. Cardinal RAT parses a configuration, then attempts to connect to the C&C. Data is transmitted in two pieces: a DWORD specifying the data length, and the data itself, encrypted using a series of XOR and addition operations, followed by decompression using the ZLIB library, Palo Alto Networks reveals.

The RAT sends a wealth of information to the server, including username, hostname, campaign identifier, Microsoft Windows version, victim unique identifier, processer architecture, and malware version (1.4). It was designed to collect victim information, update settings and itself, act as a reverse proxy, execute commands, uninstall itself, recover passwords, download and execute new files, log keys, capture screenshots, and clean cookies from browsers.

Related: Modular Felismus RAT Emerges

Related: macOS RAT Uses 0-Day for Root Access

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Don’t miss this Live Attack demonstration to learn how hackers operate and gain the knowledge to strengthen your defenses.

Register

Join us as we share best practices for uncovering risks and determining next steps when vetting external resources, implementing solutions, and procuring post-installation support.

Register

People on the Move

Shanta Kohli has been named CMO at Sysdig.

Cloud security firm Sysdig has appointed Sergej Epp as CISO.

F5 has appointed John Maddison as Chief Product Marketing and Technology Alliances Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.